The present invention relates to a system and method for analyzing and maintaining backup files and/or objects against compromised security components, fraudulent activity, malicious software and other threats.
The following description includes information that may be useful in understanding the present invention. It is not an admission that any of the information provided herein is prior art or relevant to the presently claimed invention, or that any publication specifically or implicitly referenced is prior art.
It is very common for organizations of any kind and size to perform periodic backups of their computer systems to prevent loss of data. Backup copies allow recovery of data in the event of a system crash, natural disaster, cyberattack, or operator error that causes data stored on the system to be destroyed or lost. Thus, while malicious components, compromised security elements or fraudulent activity may still be present on the operating systems, a backup procedure may be performed that contains and archives such undetected malicious components.
In the context of data integrity and availability, in the form of fraud prevention and detection in information systems, much internal organizational fraud and malicious activity is facilitated by the manipulation of digital data. Such data includes email, documents, spreadsheets, databases and, of course, accounting records. Changes to digital data over time, particularly deletions, are extremely difficult to discover or track. For example, a missing digital document or email may not be noticed precisely because the object no longer exists. Something that does not exist, and whose trail is faint or nonexistent, is difficult or impossible to see.
U.S. Pat. No. 8,805,925 discloses a method and apparatus for maintaining high data security and for providing a secure audit for fraud prevention and detection, in which comparisons of computer folders from different points in time are performed. Such comparisons provide the ability to discover missing documents, or documents whose modification dates have changed when there would otherwise have been no need to change them, and thus allow the discovery of missing documents in order to detect fraud or to search for evidence after a fraud is suspected. In another embodiment, deltas in accounting system vendor invoice accounts are compared at different points in time, potentially exposing the practice of hiding fraudulent vendor transactions within a large group of legitimate transactions for a legitimate vendor. Per-period transaction totals for specific periods for legitimate vendors are compared over historical time for suspicious activity. A comparison of reports from two different periods, using the exact data and software from those separate periods (instead of reporting from “current” data), may raise a red flag that would otherwise be missed.
In the context of protecting data integrity and confidentiality from malware in computers and machines, a virus is a self-replicating/self-reproducing automaton program that spreads by inserting copies of itself into other executable code or documents. Though the term “virus” may be defined as one type of malware (malicious software), it is common to use “virus” to refer to any kind of malware, including worms, Trojan horses, spyware, adware, etc. Computer antivirus programs are commonly used to detect, clean, and remove computer viruses from compromised objects such as data files. One form of detection typically used is scanning of objects resident on a hosting computer system's storage device(s). Objects are scanned for the presence of an embedded virus, and the scanning may be either signature-based or heuristic (such as watching for suspicious behavior). However, signature-based virus scanning relies on signatures obtained from previously identified viruses and does not detect viruses that have not yet been identified and analyzed (“day-zero” or “zero-day” attacks). These are attacks that have no known solution and/or detection signature. Existing heuristic methods are not foolproof and may fail to detect virus attacks. Thus, antivirus programs may not know that an object has been compromised. Furthermore, malware is frequently composed of multiple components. Of these components, some are known to anti-malware databases and anti-malware software vendors, but frequently not all of the components are known. Thus, even upon real-time detection of a malware infection, the antivirus software removes from the computer only those malware components that are known to it. Once the removal is complete, the anti-malware software is configured to report that the incident is over, and program operations proceed as before. However, malware components that were unknown to the anti-malware software can remain, performing malicious activity without the user being aware of it.
Several methods for analyzing and detecting malware in computer systems are known.
U.S. Pat. No. 7,472,420 discloses a system, method, and computer program product for identifying malware components on a computer, including detecting an attempt to create or modify an executable file or an attempt to write to a system registry; logging the attempt as an auditable event; performing a malware check on executable files of the computer; if malware is detected on the computer, identifying all other files created or modified during the auditable event, and all other processes related to the auditable event; terminating the processes related to the auditable event; deleting or quarantining the executable files created or modified during the auditable event; and if the deleted executable files include any system files, restoring the system files from a trusted backup. Optionally, all files and processes having a parent-child relationship to a known malware component or known compromised file are identified. A log of auditable events is maintained, and is recoverable after system reboot.
U.S. Pat. No. 8,468,604 discloses a method for protecting objects in a computer system against malware. An object is analyzed to determine whether it is compromised by malware, and if it is determined to be compromised, a backup copy of the object is located in a backup of the objects. The compromised object is replaced with the backup copy.
U.S. Pat. No. 8,527,465 discloses a system and method for identifying file system events over time using at least two consecutive backup images of the file system. Using consecutive backup images of the file system enables that system to identify whether files have been created, removed or altered between backup operations, without actually interfering or interacting with the file system itself. As a result, the information gathered may be compiled to generate a more accurate file system model for the backed-up file system, and the approach is a less invasive way to gather information about file system events. That system, however, is directed to determining common file system events in order to generate a more accurate file system model, and does not disclose analyzing and maintaining data security in backup data files and/or objects against malicious activity and system security irregularities/anomalies.
None of the current technologies or prior art, taken alone or in combination, addresses analyzing and maintaining data security on all three levels of data security (confidentiality, integrity and availability) in backup data based on a comparison of one or more backups initiated at one or more different points in time. The known technologies address real-time threats: the fraud and malware detection techniques taught in the prior art operate at different layers of the running computer system, not retroactively at the backup system and/or servers. Because the present invention operates at the backup system, it has the ability to analyze retroactively general behaviors associated with compromised data matching security signatures, performing an additional step of problem detection if such a problem was missed in the operating system.
Therefore, there is a long-felt and unmet need for a system and method that overcomes the problems associated with the prior art. The present invention provides a system and method for analyzing and maintaining data security in backup data files and/or objects against malicious activity and system security anomalies.
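The following illustration is added here and is not part of this specification or of any of the cited patents. It combines the three techniques discussed above in working form: the folder comparison across points in time of U.S. Pat. No. 8,805,925 (missing documents, suspicious modification dates), the created/removed/altered classification between two backup images of U.S. Pat. No. 8,527,465, and a retroactive signature scan over the archived copies as described for the present invention. The two backup manifests, the file contents, the timestamps and the signature pattern are all constructed sample data, and the function names are assumptions made for this illustration only.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One backed-up object: its archived content and the mtime recorded at backup time."""
    content: bytes
    mtime: int  # seconds since the epoch, as captured by the backup run


# Finding labels kept as constants so callers can match on them.
DELETED = "deleted between backups"
TIMESTOMP = "content changed but mtime unchanged (possible timestamp manipulation)"
BACKDATED = "mtime moved backwards between backups"
TOUCHED = "mtime changed without content change"


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_backups(older: dict, newer: dict):
    """Classify paths as created, removed or altered between two backup manifests.

    Works purely on the archived copies, so the live file system is never touched.
    """
    common = set(older) & set(newer)
    created = sorted(set(newer) - set(older))
    removed = sorted(set(older) - set(newer))
    altered = sorted(p for p in common
                     if digest(older[p].content) != digest(newer[p].content))
    return created, removed, altered


def find_anomalies(older: dict, newer: dict):
    """Retroactive integrity checks in the spirit of the folder comparison above.

    Flags deletions (a missing document leaves no trail on the live system) and
    modification dates that are inconsistent with the observed content change.
    """
    created, removed, altered = diff_backups(older, newer)
    altered_set = set(altered)
    findings = [(p, DELETED) for p in removed]
    for p in set(older) & set(newer):
        o, n = older[p], newer[p]
        if p in altered_set:
            if n.mtime == o.mtime:
                findings.append((p, TIMESTOMP))   # content changed, clock did not
            elif n.mtime < o.mtime:
                findings.append((p, BACKDATED))   # newer copy claims an older time
        elif n.mtime != o.mtime:
            findings.append((p, TOUCHED))         # metadata changed, content did not
    return sorted(findings)


def scan_signatures(backup: dict, signatures: dict):
    """Signature scan applied to the archived objects rather than the live host.

    Because the backup is immutable, a signature published after the backup was
    taken can still be applied to it, which is the retroactive detection step.
    """
    hits = []
    for path, entry in backup.items():
        for name, pattern in signatures.items():
            if pattern in entry.content:
                hits.append((path, name))
    return sorted(hits)


# Constructed sample backups: T1 taken before, T2 taken after, an intrusion and a fraud.
BACKUP_T1 = {
    "finance/invoices_2023Q1.csv": Entry(b"vendor,amount\nACME,1200\nACME,300\n", 1_700_000_000),
    "finance/approval_memo.docx": Entry(b"approved by CFO", 1_700_000_100),
    "bin/updater.exe": Entry(b"MZ...benign updater", 1_690_000_000),
}
BACKUP_T2 = {
    # extra invoice line injected, mtime left untouched
    "finance/invoices_2023Q1.csv": Entry(b"vendor,amount\nACME,1200\nACME,300\nACME,9500\n", 1_700_000_000),
    # approval memo is gone
    # trojanized updater with a backdated timestamp
    "bin/updater.exe": Entry(b"MZ...benign updater" + b"EVIL_BEACON_v1", 1_680_000_000),
    # new dropped component
    "tmp/dropper.dll": Entry(b"MZ...EVIL_BEACON_v1", 1_700_500_000),
}
# Constructed signature, assumed to have been published only after T2 was taken.
SIGNATURES = {"EvilBeacon.A": b"EVIL_BEACON_v1"}


if __name__ == "__main__":
    print("diff:", diff_backups(BACKUP_T1, BACKUP_T2))
    for path, what in find_anomalies(BACKUP_T1, BACKUP_T2):
        print(f"anomaly: {path}: {what}")
    for path, sig in scan_signatures(BACKUP_T2, SIGNATURES):
        print(f"signature hit: {path}: {sig}")
```

Running the illustration reports the deleted approval memo, the invoice file whose content changed while its modification time did not, and the updater whose modification time moved backwards, and the signature scan over the T2 archive finds the beacon pattern in both the updater and the dropped component even though no such signature existed when T2 was taken.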
As used in the description herein and throughout the claims that follow, the meaning of “a,” “an,” and “the” includes plural reference unless the context clearly dictates otherwise. Also, as used in the description herein, the meaning of “in” includes “in” and “on” unless the context clearly dictates otherwise.
All methods described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The use of any and all examples, or exemplary language (e.g. “such as”) provided with respect to certain embodiments herein is intended merely to better illuminate the invention and does not pose a limitation on the scope of the invention otherwise claimed. No language in the specification should be construed as indicating any non-claimed element essential to the practice of the invention.
Groupings of alternative elements or embodiments of the invention disclosed herein are not to be construed as limitations. Each group member can be referred to and claimed individually or in any combination with other members of the group or other elements found herein. One or more members of a group can be included in, or deleted from, a group for reasons of convenience and/or patentability. When any such inclusion or deletion occurs, the specification is herein deemed to contain the group as modified thus fulfilling the written description of all Markush groups used in the appended claims.